Feature #6293
open
Support disabling forced flow reuse in low memory conditions
Added by Cole Dishington about 1 year ago.
Updated about 1 month ago.
Description
By default, flow reuse is forced in low memory conditions no matter the state of the flow (see src/flow-hash.c:FlowGetNew:690).
Could we add some config to optionally disable this forced flow-reuse behavior?
- Target version changed from 7.0.1 to 7.0.2
- Target version changed from 7.0.2 to 7.0.3
- Target version changed from 7.0.3 to 8.0.0-beta1
PR=https://github.com/OISF/suricata/pull/10232
SV_PR=https://github.com/OISF/suricata-verify/pull/1607
- Status changed from New to In Review
This feature was requested due to HTTP packets, from a previously blocked TCP connection, getting through during high traffic load. This occurred when a blocked TCP connection's flow was re-used and subsequent packets from the previously blocked TCP connection were not categorized as HTTP.
This was only observed in emergency mode, as the flow timeouts are much shorter.
The solution proposed is to not re-use potentially active flows in emergency mode.
In this solution, new flows will be blocked until older flows are timeout out.
Also available in: Atom
PDF